final cleanup of csrf decoupling in #2854
- Renamed `SessionCSRFStoragePolicy` to `LegacySessionCSRFStoragePolicy` for
the version that uses the legacy `ISession.get_csrf_token` and
`ISession.new_csrf_token` APIs and set that as the default.
- Added new `SessionCSRFStoragePolicy` that stores data in the session
similar to how the `SessionAuthenticationPolicy` works.
- `CookieCSRFStoragePolicy` did not properly return the newly generated
token from `get_csrf_token` after calling `new_csrf_token`. It needed
to cache the new value since the response callback does not affect
the current request.
- `CookieCSRFStoragePolicy` was not forwarding the `domain` value to the
`CookieProfile` causing that setting to be ignored.
- Removed `check_csrf_token` from the `ICSRFStoragePolicy` interface
to simplify implementations of storage policies.
- Added an introspectable item for the configured storage policy so that
it appears on the debugtoolbar.
- Added a change note on `ISession` that it no longer requires the csrf methods.
- Leave deprecated shims in `pyramid.session` for
`check_csrf_origin` and `check_csrf_token`.
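
The `CookieCSRFStoragePolicy` caching issue listed above, modelled as an added example that is not part of the commit or of Pyramid's code: a cookie-backed policy that only queues a response callback keeps returning the stale request cookie, so a form rendered in the same request carries a token that no longer matches the cookie being set. `FakeRequest`, `UncachedCookiePolicy`, `CachedCookiePolicy` and `rotate_then_read` are hypothetical stand-ins, and the stale token is a constructed value.

```python
import secrets

class FakeRequest:
    """Constructed stand-in: incoming cookies plus queued response callbacks."""
    def __init__(self, cookies):
        self.cookies = dict(cookies)
        self.callbacks = []

class UncachedCookiePolicy:
    """Behaviour described as the bug: the new token only reaches the response."""
    cookie_name = "csrf_token"

    def new_csrf_token(self, request):
        token = secrets.token_hex(16)
        # Runs when the response is built; request.cookies is never touched.
        request.callbacks.append(
            lambda response: response.__setitem__(self.cookie_name, token))
        return token

    def get_csrf_token(self, request):
        token = request.cookies.get(self.cookie_name)
        return token if token else self.new_csrf_token(request)

class CachedCookiePolicy(UncachedCookiePolicy):
    """Behaviour described as the fix: cache the new value on the request."""
    def new_csrf_token(self, request):
        token = super().new_csrf_token(request)
        request.cookies[self.cookie_name] = token
        return token

def rotate_then_read(policy):
    """Rotate the token mid-request, then read it as a form template would.

    Returns (token rendered into the page, token sent in Set-Cookie).
    """
    request = FakeRequest({"csrf_token": "stale-token"})  # constructed value
    policy.new_csrf_token(request)
    rendered = policy.get_csrf_token(request)
    response_cookies = {}
    for callback in request.callbacks:
        callback(response_cookies)
    return rendered, response_cookies[policy.cookie_name]

if __name__ == "__main__":
    for policy in (UncachedCookiePolicy(), CachedCookiePolicy()):
        rendered, cookie = rotate_then_read(policy)
        print(type(policy).__name__, "form matches cookie:", rendered == cookie)
```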